Athene cunicularia kxd is a key exchange daemon, which serves blobs of data (keys) over https.

The main use case is to get keys to open encrypted devices automatically, without having to store them on the local machine.

It's written in Go, and is open source under the MIT licence.


Source code


The server configuration is stored in a root directory (/etc/kxd/data), and within there, with per-key directories (e.g. /etc/kxd/data/host1/key1), each containing the following files:

The basic command line client (kxc) will take the client key and certificate, the expected server certificate, and a URL to the server (like kxd://server/host1/key1), and it will print on standard output the returned key (the contents of the corresponding key file).

There are scripts to tie this with cryptsetup's infrastructure to make the opening of encrypted devices automatic; see cryptsetup/ for the details.